Finjan NG-8000 User Manual

Integrated SSL Scanning

Version 9.2



Summary of Contents for Finjan NG-8000

  • Page 1 Integrated SSL Scanning Version 9.2...
  • Page 2 © Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries (“Finjan”). All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute,...
  • Page 3: Table Of Contents

    Authority Information Access [new in 9.2]; SSL Certificate Errors; HTTPS Policies; Configuring HTTPS Support; HTTPS Configurable Parameters; Transparent HTTPS; Transparent HTTPS Scanning and Finjan’s Certificate...
  • Page 4: Introduction

    HTTPS. HTTPS configuration can be carried out system-wide or per Scanning Server. In addition to the scanning solution for HTTP traffic, Finjan also provides certificate validation functionality. This ensures that corporate policies regarding certificates are enforced by automatically validating each certificate and ensuring that the chain returns to the trusted authority.
  • Page 5: Certificate Validation

    A list of trusted certificate authorities is supplied with the system and is used for digital signature analysis and for HTTPS certificate validation. Digital certificate lists are updated via Finjan security updates. These lists include the required trusted certificate authorities and Certificate Revocation Lists (CRLs).
  • Page 6
    ♦ Format error in CRL's lastUpdate field: the CRL lastUpdate field contains an invalid time.
    ♦ Format error in CRL's nextUpdate field: the CRL nextUpdate field contains an invalid time.
    ♦ Certificate revoked: the certificate has been revoked.
    Page 3 Finjan proprietary and confidential...
  • Page 7
    ♦ Root certificate could not be found locally: the certificate chain could be built using the untrusted certificates, but the root could not be found locally...
  • Page 8
    ♦ Key usage does not include certificate: the current candidate issuer signing certificate was rejected because its keyUsage extension did not permit certificate signing...
  • Page 9: Certificate Management [New For 9.2]

    (CSR). After the generation of the CSR, the system administrator can export the request (which is signed by the private key of Vital Security) and send it to the Certificate Authority. The CA will then generate a...
  • Page 10: Authority Information Access [New In 9.2]

    Web server sends only the end-user’s own SSL certificate, which includes a link to the issuers of the certificate. The end-user’s browser then follows that link and validates the issuers of the SSL certificate. AIA support includes two components:...
  • Page 11: SSL Certificate Errors

    Scanning Server. The Scanning Server uses the certificate it already generated (as described above). As the certificate is self-signed by Finjan, and is not trusted by the end-user’s browser, the user will receive a warning...
  • Page 12 To prevent the end-users from receiving this warning message, system administrators can do one of the following:
    ♦ Install Finjan’s certificate on the end-user’s browser as a trusted root certificate authority.
    ♦ Install a certificate on all the Scanning Servers, issued by the organization’s CA root certificate, which is already trusted by all users.
  • Page 13 The Certificate Information window is displayed. Click Install Certificate. The Certificate Import Wizard opens. Follow the wizard to completion. The Finjan certificate is now added to the browser’s trusted sites list. To confirm that the certificate has been added navigate in your browser to Tools...
  • Page 14 Navigate to Administration → System Settings → Finjan Devices. Click the IP address. Click to expand Scanning Server, right-click HTTPS, and select Import Root Certificate. The following window is displayed: Figure 5 - Import Root Certificate...
  • Page 15 Paste the Certificate and Private Key information in the relevant fields, and type the Password. Click OK. Otherwise, Cancel. NOTE: For multiple Scanning Servers, the Device General Settings option can be used instead of repeating the procedure on each Scanning Server...
  • Page 16: HTTPS Policies

    The blocking mechanism is based on white lists, URL categorization, and validation of certificates for errors. Finjan provides two preconfigured HTTPS policies:
    ♦ Default HTTPS Policy: This policy contains only one rule, which is designed to block any sites that contain faulty certificates.
  • Page 17: HTTPS Configurable Parameters

    This is enabled by default.
    ♦ Allow Weak Cipher Suites: Allows the choice of weak (non-secure) cipher suites when performing an SSL handshake between Vital Security and the HTTPS server. This option is disabled by default...
  • Page 18
    ♦ Allowed Server Ports: System administrators can configure which port numbers are allowed for HTTPS traffic. If the remote HTTPS server does not listen on the default TCP port number 443, other port numbers can be added...
  • Page 19: Transparent HTTPS

    IP address only. Due to the nature of the HTTPS protocol, when the End-User sends HTTPS traffic in transparent mode, Finjan’s Vital Security Scanning Server does not see the requested host (it sees only the destination IP address), and policies related to the URL (such as bypass scanning or URL categorization) do not work.
  • Page 20: Transparent HTTPS Scanning and Finjan's Certificate

    Although HTTPS scanning is transparent to the end-user, it is still mandatory to install the SSL certificate of the Scanning Server on the end-user’s PC to prevent security warnings. When the end-user browses an HTTPS site, the Scanning Server generates an on-the-fly certificate, signs the certificate, and sends it to the end-user.

This manual is also suitable for: NG-6000, NG-5000
